Comodo Says Two More RAs Compromised 144
Trailrunner7 writes "Officials at Comodo have acknowledged that an additional two registration authorities affiliated with the company have been compromised in the wake of the high-profile attack on the company that was disclosed last week. Addressing a list of concerns about Comodo's practices raised by customers and browser vendors in the wake of the attack, Alden said that the company is now in the process of rolling out a new two-factor authentication system for its RAs. Comodo also is installing other security measures as a result of the attack."
Do you still have Comodo CA on your browser? (Score:1, Insightful)
Fuck... (Score:5, Insightful)
Other than inertia, is there any reason to give these guys a second chance, rather than just drop them from the default trusted CAs list and let the company sell itself for scrap? Generating SSL certs is technologically trivial, anybody can do it at home with commonly available free software. Essentially, the only purpose of a CA is to be competent and trustworthy about who they generate certs for. CAs aren't really software or technology companies, they are much closer to the position of escrow services or trust companies. Generating certs is just the minor 'paperwork'. Generating only the right certs for only the right people is the job. If they can't do that, they are worse than useless.
Removed (Score:4, Insightful)
I have now removed Comodo as a trusted CA on my systems, and have advised colleagues of the three known occasions on which they have failed to act as a responsible CA. The game is up.
The Mozilla inclusion policy [mozilla.org] for maintaining CAs in the default list states that:
I hope that Mozilla now review the inclusion of Comodo's cert.
Meaningless (Score:4, Insightful)
The system of "certificate authority" on which SSL security ostensibly relies, has deteriorate to an essentially meaningless state.
This system is based primarily on trust. Trust requires at least a basic level of knowledge or understanding (this is a crucial difference between "trust" and "faith" :) ).
If you have not taken a look at your browser's "trusted certificate authority list" - now may be the time. I am a Firefox user, and I know that the list in Firefox contains numerous organizations with trustworthy names like "QuoVadis Limited", "TÜRKTRUST Elektronik Sertifika Hizmet Salaycs" and "XRamp Global Certification Authority". Do you know any of these companies? Do you personally have any reason to trust in their judgment, honesty or integrity?
For each company Firefox web site holds a document by some accounting firm (like the KPMG which has proven itself untrustworthy and unreliable even in matters of finance where they presumably have a clue) that purports to audit intentions and pracitces of said company wrt. issuance of said certificates. To put it simply that's worth as much as their audit of Lehman Brothers.
Bottom line - your browser essentially allows a random selection of highest bidders or politically connected entities to define what web sites are, in turn, to be trusted. It's pointless and there is little reason to believe that anything that say, sign or claim has any value whatsoever beyond the level of background noise.
Treat SSL the way you treat SSH - save specific certificates for sites, and watch for unexpected changes. Regardless of what the certificate or the "green location bar" say, don't trust them further than you can throw them.